83b491f66cbcc39a71daff3cb9f2e6228a77959aebdf6a87b4c95f884de588a4

Reason

Machine shutdown

General

Target

Sound Blaster creative set-up.fix.exe
Size

202KB
MD5

69e54877c8aee907efaad8e96ffa8bad
SHA1

fa005fa2f233fb07c0a58b06b0c88610164097a8
SHA256

83b491f66cbcc39a71daff3cb9f2e6228a77959aebdf6a87b4c95f884de588a4
SHA512

db4d864dd8ae525b48941491ff257e8eee64ba93cdf1e9fd96a21d124bc01dfe660fe9451a87cb306964c2966854a0626d5f777bb35aec47c83c5956f2f4b917
SSDEEP

3072:9nx83hRxFJiN09QcRD21e+/2EIjcvlCHQnDPvrcUPn6+byteiYD8+YdzNrj:FCxiN0f1fcvlCwnDbvytDYo7

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	Sound Blaster creative set-up.fix.exe

Executes dropped EXE 1 IoCs

pid	Process
1004	dllhost.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2024	sc.exe
5060	sc.exe
4924	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1016	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3860	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 1004	4684	Sound Blaster creative set-up.fix.exe	84
PID 4684 wrote to memory of 1004	4684	Sound Blaster creative set-up.fix.exe	84
PID 4684 wrote to memory of 1004	4684	Sound Blaster creative set-up.fix.exe	84
PID 1004 wrote to memory of 320	1004	dllhost.exe	85
PID 1004 wrote to memory of 320	1004	dllhost.exe	85
PID 1004 wrote to memory of 320	1004	dllhost.exe	85
PID 320 wrote to memory of 3860	320	cmd.exe	87
PID 320 wrote to memory of 3860	320	cmd.exe	87
PID 320 wrote to memory of 3860	320	cmd.exe	87
PID 1004 wrote to memory of 684	1004	dllhost.exe	88
PID 1004 wrote to memory of 684	1004	dllhost.exe	88
PID 1004 wrote to memory of 684	1004	dllhost.exe	88

C:\Users\Admin\AppData\Local\Temp\Sound Blaster creative set-up.fix.exe
"C:\Users\Admin\AppData\Local\Temp\Sound Blaster creative set-up.fix.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4684
- C:\ProgramData\dllhost.exe
  "C:\ProgramData\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc query windefend
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\sc.exe
      sc query windefend
      4⤵
      Launches sc.exe
      PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop windefend
    3⤵
    PID:4712
  - - C:\Windows\SysWOW64\sc.exe
      sc stop windefend
      4⤵
      Launches sc.exe
      PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete windefend
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete windefend
      4⤵
      Launches sc.exe
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /f /im svchost.exe
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svchost.exe
      4⤵
      Kills process with taskkill
      PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dllhost.exe

Filesize
202KB

MD5
69e54877c8aee907efaad8e96ffa8bad

SHA1
fa005fa2f233fb07c0a58b06b0c88610164097a8

SHA256
83b491f66cbcc39a71daff3cb9f2e6228a77959aebdf6a87b4c95f884de588a4

SHA512
db4d864dd8ae525b48941491ff257e8eee64ba93cdf1e9fd96a21d124bc01dfe660fe9451a87cb306964c2966854a0626d5f777bb35aec47c83c5956f2f4b917

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qa511pa0.0oa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1004-13-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1004-14-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/3860-20-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/3860-19-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/3860-33-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/3860-15-0x00000000725DE000-0x00000000725DF000-memory.dmp

Filesize
4KB

Download
memory/3860-16-0x0000000005230000-0x0000000005266000-memory.dmp

Filesize
216KB

Download
memory/3860-17-0x00000000725D0000-0x0000000072D80000-memory.dmp

Filesize
7.7MB

Download
memory/3860-18-0x0000000005920000-0x0000000005F48000-memory.dmp

Filesize
6.2MB

Download
memory/3860-32-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/3860-31-0x00000000062D0000-0x0000000006624000-memory.dmp

Filesize
3.3MB

Download
memory/3860-21-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/4684-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4684-0-0x0000000074832000-0x0000000074833000-memory.dmp

Filesize
4KB

Download
memory/4684-12-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4684-2-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors